"The weakness is directly within Siri and compromises iOS 7's ability to control common tasks that should be based on permissions," Tyler Rorabaugh, Cenzic's vice president of engineering, wrote in a company blog post.

Unauthorized users should not be able to do anything on locked mobile devices, except call 911.

Staffers in Tom's Guide's New York office were able to replicate Cenzic's findings, and used Siri to post Facebook status updates from locked iOS 7 phones.

Cenzic posted a video on YouTube showing the researchers who discovered the flaw, Abhishek Rahirikar and Michael Yuen, posting status updates on Rorabaugh's Facebook page using his phone.

Using Siri to bypass iPhone lockscreen

Some of the same flaws exist in iOS 6 as well, Rorabaugh wrote.

"By, default Siri is turned on even after the iPhone is locked," Rahirikar told Tom's Guide in an email. "It can still post on things like Twitter [and] Facebook, [and] it can be used to view calling history.

"Access controls in Siri are not comprehensive," Rahirikar said. "You need to turn Off Siri completely, or turn off Siri when the phone is locked, using [an] iPhone setting. But by default it is turned on and vulnerable."